How to prevent a single client from accessing a certain subnet in OpenVPN

Hi,
I made an OpenVPN tunnel (TUN) on tun21 between my workplace (192.168.10.0/24) and a remote user.
The OpenVPN server is on TomatoShibby AIO-116 (192.168.4.0/24) and its WAN is connected to my workplace internet.

There are at least three (types) of clients that are supposed to connect to the OpenVPN server which resides in my workplace.

Just at the beginning let's assume every client is one person with a static IP address on the tun network (10.8.0.0/24);
then I might consider more clients for each type (which translates to dynamic IP addresses with different subnets 10.8.t.0/24, t=1,2,3).

Just assume we have a client for each of the types.
The first client has CN (common name) client_remote (192.168.42.0/24); it resides far away but its internet is forwarded from the workplace OpenVPN server (its tun11 address is static, 10.8.0.0.69).

The second client has CN client_user (192.168.12.0/24); it also resides far away but for its internet it should use its own internet (its tun11 address is static, 10.8.0.0.101).

The third client has CN client_admin (192.168.1.0/24); it also resides far away but its internet must come from the workplace (its tun11 address is static, 10.8.0.0.201).

The client_admin, client_user and client_remote .ovpn config files have the following options:...
daemon
server-bridge
proto tcp-server
....
For simplification (since I am going to add more users in those three different categories user, admin and extra) I enabled the following options on the server side (not in a client custom file):....
client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
...
What I want to do is to grant the following privileges:

1- client_extra can connect to the OpenVPN server side 192.168.4.0/24 but not to 192.168.10.0/24, and its internet must come from the workplace (192.168.10.1 gw).
2- client_user can connect to 192.168.4.0/24 and 192.168.42.0/24 but not 192.168.1.0 (client_admin), and the internet of client_user must not come from the workplace (192.168.10.1 gw) [it uses its own internet].
3- client_admin can connect to 192.168.4.0/24 and 192.168.42.0/24 and (192.168.12.0/24), but not the internet; the internet of client_admin must come from the workplace (192.168.10.1 gw).

I have googled a lot and I read that setting client-to-client and bridged mode is not recommended,
and that setting the firewall automatically is not advised and I have to make my own firewall rules.

But I will get into trouble if any of the groups (admin, users, extra) grows in number; maybe using different subnets such as 10.8.0.x, 10.8.1.x, 10.8.2.x is advised, but in fact I do not know how to set up the iptables or ebtables configuration for every subnet to make that possible.
So I have an iptables firewall setting problem that I could not figure out how to implement.

And by the way, can I put the following lines
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
separately in ccd (custom config file) for every client that I want to get internet from the workplace!?
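As an added example (not from this thread or from any poster), here is one way to lay out the per-group ccd files and the iptables FORWARD rules the question asks about. It assumes a routed TUN server configured with `server 10.8.0.0 255.255.0.0` and `topology subnet`, one /24 per group (10.8.1.0/24 extra, 10.8.2.0/24 user, 10.8.3.0/24 admin), an assumed Tomato WAN interface name `vlan2`, and that `client-to-client` is removed so client traffic passes through the kernel FORWARD chain where iptables can filter it; the group subnets and function names are constructed for this example.

```shell
#!/bin/sh
# Added example: per-group OpenVPN access control via ccd files plus an
# iptables chain. Assumes 'server 10.8.0.0 255.255.0.0', 'topology subnet',
# groups in 10.8.1.0/24 (extra), 10.8.2.0/24 (user), 10.8.3.0/24 (admin),
# and NO 'client-to-client' (otherwise client traffic bypasses iptables).
TUN=tun21            # OpenVPN interface named in the thread
WAN=vlan2            # assumed Tomato WAN interface; adjust for your router
EXTRA=10.8.1.0/24; USERS=10.8.2.0/24; ADMIN=10.8.3.0/24
SERVER_LAN=192.168.4.0/24   # Tomato LAN
WORK_LAN=192.168.10.0/24    # workplace LAN behind the WAN (denied for extra)
REMOTE_LAN=192.168.42.0/24  # client_remote's LAN
USER_LAN=192.168.12.0/24    # client_user's LAN

# Print the body of one ccd file: ccd_for GROUP TUN_IP CLIENT_LAN
# 'push' is valid inside a ccd file, so redirect-gateway is pushed per group
# here instead of globally in the server config.
ccd_for() {
  group=$1; tun_ip=$2; lan=$3
  echo "ifconfig-push $tun_ip 255.255.0.0"
  echo "iroute $lan 255.255.255.0"
  case $group in
    extra|admin)
      echo 'push "redirect-gateway def1"'
      echo 'push "dhcp-option DNS 10.8.0.1"' ;;
  esac
}

# Print the iptables commands implementing the three policies (pipe to sh).
# Order matters: the extra->workplace DROP sits before the extra->WAN ACCEPT.
forward_rules() {
  cat <<EOF
iptables -N OVPN_ACL
iptables -I FORWARD 1 -i $TUN -j OVPN_ACL
iptables -I FORWARD 1 -o $TUN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OVPN_ACL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OVPN_ACL -s $EXTRA -d $WORK_LAN -j DROP
iptables -A OVPN_ACL -s $EXTRA -d $SERVER_LAN -j ACCEPT
iptables -A OVPN_ACL -s $EXTRA -o $WAN -j ACCEPT
iptables -A OVPN_ACL -s $USERS -d $SERVER_LAN -j ACCEPT
iptables -A OVPN_ACL -s $USERS -d $REMOTE_LAN -j ACCEPT
iptables -A OVPN_ACL -s $ADMIN -d $SERVER_LAN -j ACCEPT
iptables -A OVPN_ACL -s $ADMIN -d $REMOTE_LAN -j ACCEPT
iptables -A OVPN_ACL -s $ADMIN -d $USER_LAN -j ACCEPT
iptables -A OVPN_ACL -s $ADMIN -o $WAN -j ACCEPT
iptables -A OVPN_ACL -j DROP
EOF
}
```

The user group gets no `-o $WAN` rule and no `redirect-gateway` push, so its internet never transits the tunnel; everything not explicitly accepted hits the final DROP.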

This makes no sense. You're defining a bridged (tap) OpenVPN tunnel on the server (server-bridge), but defining routed (tun) tunnels on the OpenVPN clients (10.8.x.0). These must be consistent between the client and server.


Thanks for your reply,
In my configuration on both the server and client sides I did not use a TAP device (everything is TUN).